This is great for a privileged user, however….if a “mere mortal” attempts something like this, the response is “access denied.” It mostly makes sense, because in order to change a password, ordinarily one must prove authenticity by providing the old password. (Privileged users are exempt from this because of need…to force passwords when users forget them for example.) It is like net user /domain in that sense, with the domain in AD assumed to be the domain of the machine into which one has logged, IIRC.